CVE-2026-8802
Path Traversal in OpenSourcePOS
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensourcepos | opensourcepos | to 3.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8802 is a path traversal vulnerability in the OpenSourcePOS software up to version 3.4.2. It affects the getPicThumb function in the app/Controllers/Items.php file. An authenticated attacker can manipulate the pic_filename parameter to traverse directories and read arbitrary files on the server.
This happens because the function did not properly sanitize the filename input, allowing directory traversal sequences like '../../../' to escape the intended uploads directory.
The vulnerability could expose sensitive files such as .env files, configuration files, or encryption keys.
The issue was fixed by applying the basename() function to remove directory components from the filename, validating the file extension against a whitelist of allowed image types (jpg, jpeg, gif, png, webp), and returning an explicit error response for invalid file types.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to read arbitrary files on the server hosting OpenSourcePOS, potentially exposing sensitive information.
- Exposure of sensitive files such as environment configuration files (.env), which may contain database credentials or API keys.
- Disclosure of encryption keys or other confidential data stored on the server.
The confidentiality impact is high due to the ability to access sensitive files, while the integrity impact is medium because of potential unauthorized file writes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves manipulation of the pic_filename parameter in the getPicThumb function to perform path traversal and read arbitrary files on the server.
To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the getPicThumb endpoint for suspicious path traversal patterns such as sequences like ../../../ in the pic_filename parameter.
Example commands to detect such attempts in web server logs (assuming Apache logs) include:
- grep -i 'getPicThumb' /var/log/apache2/access.log | grep -E '(\.\./){1,}'
- grep -i 'pic_filename' /var/log/apache2/access.log | grep -E '(\.\./){1,}'
Additionally, you can use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns in HTTP requests.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the official patch identified by commit def0c27a0e252668df8d942fc31e16d1edfd7323 to your OpenSourcePOS installation.
This patch sanitizes the pic_filename parameter by using the basename() function to remove directory components and validates the file extension against a whitelist of allowed image types (jpg, jpeg, gif, png, webp). Invalid file types now return an explicit HTTP 400 error.
If immediate patching is not possible, consider restricting access to the items module to trusted users only, and monitor for suspicious activity as described.
Also, review and harden file permissions on your server to limit exposure of sensitive files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers to read arbitrary files on the server, potentially exposing sensitive files such as configuration files, encryption keys, or environment files. This exposure of sensitive information poses a high confidentiality risk.
Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access.
Therefore, if exploited, this vulnerability could compromise the confidentiality of protected data, potentially resulting in violations of these regulations and associated legal and financial consequences.